diff --git a/CHANGES.txt b/CHANGES.txt
index f43935c8723..72a1e3e6ffa 100644
--- a/CHANGES.txt
+++ b/CHANGES.txt
@@ -220,6 +220,9 @@ Trunk (unreleased changes)
 HADOOP-6833. IPC leaks call parameters when exceptions thrown. (Todd Lipcon via Eli Collins)
+ HADOOP-6932. Namenode start (init) fails because of invalid kerberos
+ key, even when security set to "simple" (boryas)
+
 Release 0.21.0 - Unreleased
 INCOMPATIBLE CHANGES
diff --git a/src/java/org/apache/hadoop/security/SecurityUtil.java b/src/java/org/apache/hadoop/security/SecurityUtil.java
index 00187bd6f24..44ef31ef329 100644
--- a/src/java/org/apache/hadoop/security/SecurityUtil.java
+++ b/src/java/org/apache/hadoop/security/SecurityUtil.java
@@ -174,7 +174,7 @@ public class SecurityUtil {
 }
 /**
- * If a keytab has been provided, login as that user. Substitute $host in
+ * Login as a principal specified in config. Substitute $host in
 * user's Kerberos principal name with a dynamically looked-up fully-qualified
 * domain name of the current host.
 *
@@ -192,8 +192,9 @@ public class SecurityUtil {
 }
 /**
- * If a keytab has been provided, login as that user. Substitute $host in
- * user's Kerberos principal name with hostname.
+ * Login as a principal specified in config. Substitute $host in user's Kerberos principal
+ * name with hostname. If non-secure mode - return. If no keytab available -
+ * bail out with an exception
 *
 * @param conf
 * conf to use
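Review bot: The rewritten Javadoc for the four-argument `login` says "If non-secure mode - return" but not where the mode is read from. The body in the following hunk decides this with `UserGroupInformation.isSecurityEnabled()` rather than from the `conf` argument, so a caller whose `conf` asks for Kerberos may still skip the login unless UserGroupInformation was configured to match; the new test calls `UserGroupInformation.setConfiguration(conf)` before `login`, which suggests that dependency. I would say so in the comment, e.g. `* Returns without logging in when UserGroupInformation.isSecurityEnabled() is false; conf is not consulted for the security mode.`, and describe the failure as `@throws IOException if security is enabled and no keytab is configured`. The rest of this Javadoc lies outside the hunk, so a `@throws` tag may already exist there.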
@@ -208,9 +209,14 @@ public class SecurityUtil {
 public static void login(final Configuration conf, final String keytabFileKey, final String userNameKey, String hostname) throws IOException {
- String keytabFilename = conf.get(keytabFileKey);
- if (keytabFilename == null)
+
+ if(! UserGroupInformation.isSecurityEnabled())
 return;
+
+ String keytabFilename = conf.get(keytabFileKey);
+ if (keytabFilename == null || keytabFilename.length() == 0) {
+ throw new IOException("Running in secure mode, but config doesn't have a keytab");
+ }
 String principalConfig = conf.get(userNameKey, System .getProperty("user.name"));
diff --git a/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java b/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
index 14ec74372d0..d5a3a25f909 100644
--- a/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
+++ b/src/test/core/org/apache/hadoop/security/TestSecurityUtil.java
@@ -16,12 +16,15 @@
 */
 package org.apache.hadoop.security;
-import static org.junit.Assert.*;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import java.io.IOException;
 import javax.security.auth.kerberos.KerberosPrincipal;
+import org.apache.hadoop.conf.Configuration;
+import org.junit.Assert;
 import org.junit.Test;
 public class TestSecurityUtil {
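Review bot: The new `IOException` in `login` does not say which configuration key was empty, and the guard treats only `null` and `""` as a missing keytab. An operator reading "Running in secure mode, but config doesn't have a keytab" has to work out which daemon key is meant, and a value made only of whitespace passes the check and reaches the login code further down, which is outside this hunk. I would trim the value and name the key: `if (keytabFilename == null || keytabFilename.trim().length() == 0) {` and `throw new IOException("Running in secure mode, but config doesn't have a keytab for key " + keytabFileKey);`. A configuration key name is not a secret, so it is safe to put in the message. The `if(! UserGroupInformation.isSecurityEnabled())` guard also keeps its `return;` on the following context line without braces, which is easy to misread next to the braced block added below it.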
@@ -70,4 +73,23 @@ public class TestSecurityUtil {
 verify(shouldNotReplace, hostname, shouldNotReplace);
 verify(shouldNotReplace, shouldNotReplace, shouldNotReplace);
 }
+
+ @Test
+ public void testStartsWithIncorrectSettings() throws IOException {
+ Configuration conf = new Configuration();
+ conf.set(
+ org.apache.hadoop.fs.CommonConfigurationKeys.HADOOP_SECURITY_AUTHENTICATION,
+ "kerberos");
+ String keyTabKey="key";
+ conf.set(keyTabKey, "");
+ UserGroupInformation.setConfiguration(conf);
+ boolean gotException = false;
+ try {
+ SecurityUtil.login(conf, keyTabKey, "", "");
+ } catch (IOException e) {
+ // expected
+ gotException=true;
+ }
+ assertTrue("Exception for empty keytabfile name was expected", gotException);
+ }
 }
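Review bot: The `catch (IOException e)` in `testStartsWithIncorrectSettings` accepts any IOException, so the test cannot tell the new empty-keytab check apart from a later failure inside the login itself. With the keytab set to `""`, an unpatched `login` might also throw once it tries to use the empty keytab (that code is not visible here), in which case the test would pass without the fix. Asserting on the message inside the catch would pin it: `assertTrue(e.getMessage().contains("config doesn't have a keytab"));`. The test also calls `UserGroupInformation.setConfiguration(conf)` with "kerberos" and never restores it, which may leak secure mode into other tests in the same JVM. The case named in the CHANGES entry, where security is "simple" and `login` returns without a keytab, has no test in this hunk.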